Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for key wrapping (v2) #224

Draft
wants to merge 2 commits into
base: main
Choose a base branch
from

Conversation

athoelke
Copy link
Contributor

This PR replaces #215, simplifying the API to only support key wrapping algorithms, and not wrapped-key formats. Wrapped-key formats will be considered later, along with import and export of formatted key data (see also #50, #149 and #207 for more discussion).

This added the psa_wrap_key() and psa_unwrap_key() functions, and support for AES-KW and AES-KWP algorithms.

Open issues:

  1. NIST 800-38F describes a generalised AES-KW and AES-KWP to support any 128-bit 'approved block cipher', which exactly matches RFC 3394 and RFC 5649 definitions for the AES block cipher. Is it valuable to define this as the more general algorithm identifier, compatible with any 128-bit block cipher key, or just keep the AES-specific name and AES-only compatibility?

  2. I have allocated a new algorithm category, as key-wrapping algorithms tend to be specialized authenticated encryption. However, AES-SIV can be used as a general AEAD algorithm, as well as a key-wrapping algorithm. Would that be problematic?

  3. I have recycled the 'S' bit in the algorithm identifier to flag whether the algorithm has alignment constraints on the input data (AES-KW does, AES-KWP does not) - similar to block-aligned sizes for some block-mode ciphers. Is this at all useful, or should we just make this bit 0 for key-wrap algorithms?

Partly fixes #50

* psa_wrap_key() and psa_unwrap_key() functions
* AES-KW and AES-KWP algorithms
@athoelke athoelke added enhancement New feature or request API design Related the design of the API Crypto API Issue or PR related to the Cryptography API labels Oct 24, 2024
@athoelke athoelke added this to the Crypto API 1.3 milestone Oct 24, 2024
@athoelke athoelke self-assigned this Oct 24, 2024
@@ -375,6 +380,9 @@ typedef struct psa_custom_key_parameters_t {
/* implementation-defined value */
#define PSA_TLS12_ECJPAKE_TO_PMS_OUTPUT_SIZE 32
#define PSA_TLS12_PSK_TO_MS_PSK_MAX_SIZE /* implementation-defined value */
#define PSA_WRAP_KEY_OUTPUT_SIZE(wrap_key_type, alg, key_type, key_bits) \
/* implementation-defined value */
#define PSA_WRAP_KEY_PAIR_MAX_SIZE /* implementation-defined value */

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would expect PSA_WRAP_KEY_OUTPUT_MAX_SIZE instead of PSA_WRAP_KEY_PAIR_MAX_SIZE.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

psa_wrap_key() has the same issue as psa_export_key() in relation to a MAX_SIZE macro for the output. There is no really helpful limit on the size of what can be stored in the keystore, for example certificates could be stored as PSA_KEY_TYPE_RAW_DATA. The description for the output buffer size states:

  • This API defines no maximum size for wrapped symmetric keys. Arbitrarily large data items can be stored in the key store, for example certificates that correspond to a stored private key or input material for key derivation.

For key export, we have PSA_EXPORT_KEY_PAIR_MAX_SIZE, PSA_EXPORT_PUBLIC_KEY_MAX_SIZE and (new for 1.3) PSA_EXPORT_ASYMMETRIC_KEY_MAX_SIZE (which is just the maximum of the other two). The reason for separate key-pair and public-key sizes is that these can be very different values, and most use cases would know which of these is required, permitting a more efficient choice of buffer size.

For key wrapping, I didn't include a macro for wrapped public keys, or asymmetric keys in general as I expected that there is no real use case for simple wrapping of public keys. If this assumption is wrong, I would be happy to add the additional macros to the API, or we might determine that a single one for wrapped asymmetric key maximum size is sufficient.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed, there is no general maximum size for export and key_wrap, thanks for the explanation!

@athoelke athoelke marked this pull request as draft December 4, 2024 10:19
@athoelke athoelke removed this from the Crypto API 1.3 milestone Dec 4, 2024
@athoelke
Copy link
Contributor Author

athoelke commented Dec 4, 2024

After another round of review and consideration, this approach is not convincing.

Although it avoids the challenge of designing the key policy handling that comes with an API for handling wrapped-key formats (see #215), it will result in multiple APIs for key wrapping which is not ideal.

This PR will remain as Draft for the time being - this API should be considered experimentatal/Beta. We will revisit the API for wrapping and unwrapping keys after v1.3.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
API design Related the design of the API Crypto API Issue or PR related to the Cryptography API DO NOT MERGE enhancement New feature or request
Projects
Development

Successfully merging this pull request may close these issues.

Add APIs to support wrapped keys
2 participants